Topic: Why 2FA Is Stupid

One of the idiocies of our modern world is 2-factor authentication, or 2FA. It's one of those things, like airport security, which at first glance, without turning your brain on, make sense, but in reality don't.

So what is wrong with it?

1. If you're simply using a second password, you add nothing but more hassle for the user to manage his passwords.

If he can't secure one password, what makes you think he will be able to secure two?

2. If you're using email then it's no different than just using a second password.

3. Now to the most popular option - cellphones.

The architecture of cellular networks was designed at approximately the same time as the Internet, when nobody really thought about security. As a result, it's quite easy to hack.

For example, I never had any issues with pure password-based systems, but in the last year alone, my SIM card was cloned twice! Both times hackers stole all the money from the phone account and tried to access my bank.

Fortunately, the bank implements 2FA with additional protection - they don't just rely on SMS (probably because they were hacked a few times this way), they track the SIM card's internal ID number and lock your account if it's different. To remove the lock you have to call their user support, and that's where their intelligence ends, because now I only need to know my birthday and the name of one of my parents to get in. Hardly secure information.

Phone companies are not interested in investigating such cases and stolen amounts are too small to warrant visiting a police station.

And some companies are not as smart as my bank and allow cellphones to be used as the primary way of authentication; for example, you can simply reset your password via SMS! This effectively turns 2FA into "1FA by cellphone", and phones are easily hackable. There were stories recently that Telegram accounts were hacked this way.

Moreover, 2FA makes users less careful with their passwords - they are now more relaxed, because they think they have additional protection.

Meanwhile it adds a lot of inconvenience. Losing or changing your phone, or any other problems with connectivity - and you now can't access any of your accounts!

It also adds mental cost, and I noticed that I use services with mandatory 2FA a lot less often. Even if it's not hard to wait for the SMS, pick up your phone, read the code, type it, delete SMS, it's still a kind of chore that the brain would like to avoid.

Experts have been warning for years about security blunders in the Signaling System 7 protocol – the magic glue used by cellphone networks to communicate with each other.

These shortcomings can be potentially abused to, for example, redirect people's calls and text messages to miscreants' devices. Now we've seen the first case of crooks exploiting the design flaws to line their pockets with victims' cash.


In other words, thieves exploited SS7 to intercept two-factor authentication codes sent to online banking customers, allowing them to empty their accounts. The thefts occurred over the past few months, according to multiple sources.

In 2014, researchers demonstrated that SS7, which was created in the 1980s by telcos to allow cellular and some landline networks to interconnect and exchange data, is fundamentally flawed. Someone with internal access to a telco – such as a hacker or a corrupt employee – can get access to any other carrier's backend in the world, via SS7, to track a phone's location, read or redirect messages, and even listen to calls.

After talking at length with customer service reps, I learned that the hacker did not need to give them my PIN number or my social security number and was able to get approval to take over my cell phone number with simple billing information.

The promise of two-factor began to unravel early on. By 2014, criminals targeting Bitcoin services were finding ways around the extra security, either by intercepting software tokens or more elaborate account-recovery schemes. In some cases, attackers went after phone carrier accounts directly, setting up last-minute call-forwarding arrangements to intercept codes in transit.